Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

Displaying Audit Service Defaults

The audit service is regulated by the following parameters:

  • Classes of attributable and non-attributable events

  • Audit policy

  • Audit plugins

  • Queue controls

To display the audit service defaults, you typically use auditconfig -get* subcommand. This subcommand displays the current configuration of the parameter that is represented by the asterisk (*), such as –getflags –getpolicy, or –getqctrl. To display information about classes for non-attributable events, use the auditconfig -getnaflags subcommand.

For more information about the auditconfig command, see the auditconfig (1M) man page.

Note -  To display the audit service configuration, you must become an administrator who is assigned the Audit Configuration or Audit Control rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

The following examples show the appropriate command syntax to use to display the default audit configuration settings.

Example 3-1  Displaying Default Class for Events

In this example, two subcommands are used to display the preselected classes for attributable and non-attributable events respectively. To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.

# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)

lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).

# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
Example 3-2  Displaying the Default Audit Policy
$ auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

The active policy is the current policy, but the policy value is not being stored by the audit service. The configured policy is stored by the audit service, so the policy is restored when you restart the audit service.

Example 3-3  Displaying the Default Audit Plugins
$ auditconfig -getplugin
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
Attributes: p_flags=;

Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;

The audit_binfile plugin is active by default.

Example 3-4  Displaying the Audit Queue Controls
$ auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20

The active queue control is the queue control that is currently used by the kernel. The string no configured indicates that the system is using the default values.